d79aff6abd7bf0127fcdcdaa6ba3ea873485e5e914d359dbdfa28d29b26b008d

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12-03-2024 02:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d79aff6abd7bf0127fcdcdaa6ba3ea873485e5e914d359dbdfa28d29b26b008d.exe
Size

92KB
MD5

8433d52287dea64fd009dece3978679d
SHA1

b6df9d3bc84276f536ac719b7fa9aff67ff04773
SHA256

d79aff6abd7bf0127fcdcdaa6ba3ea873485e5e914d359dbdfa28d29b26b008d
SHA512

db9a26818e2ecbfcbe1f6d7b5e7ffe2223d7892c6ce323ebb44ecbb8ce23a6db0ca895d6b12011f1e35d537af9e9b977ead212254d7633cfec0224c4dd3ecbcd
SSDEEP

1536:SX5rJgPi8bEPVALCAdVU6jXq+66DFUABABOVLefE3:wxJgPi8bEPhAdVU6j6+JB8M3

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kipabjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplmmfmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d79aff6abd7bf0127fcdcdaa6ba3ea873485e5e914d359dbdfa28d29b26b008d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe

Executes dropped EXE 64 IoCs

pid	Process
3852	Jbhmdbnp.exe
1652	Jjpeepnb.exe
4704	Jmnaakne.exe
5080	Jaimbj32.exe
1128	Jplmmfmi.exe
3068	Jbkjjblm.exe
1660	Jidbflcj.exe
3496	Jmpngk32.exe
1100	Jpojcf32.exe
4032	Jbmfoa32.exe
2344	Jfhbppbc.exe
2308	Jigollag.exe
1604	Jmbklj32.exe
3400	Jdmcidam.exe
3512	Jfkoeppq.exe
2732	Jiikak32.exe
4292	Kpccnefa.exe
2656	Kdopod32.exe
4220	Kgmlkp32.exe
5012	Kilhgk32.exe
2460	Kacphh32.exe
3828	Kdaldd32.exe
396	Kbdmpqcb.exe
4372	Kkkdan32.exe
5004	Kmjqmi32.exe
2976	Kphmie32.exe
3940	Kdcijcke.exe
4448	Kgbefoji.exe
4348	Kipabjil.exe
1060	Kmlnbi32.exe
4380	Kpjjod32.exe
1672	Kcifkp32.exe
2440	Kkpnlm32.exe
5104	Kibnhjgj.exe
696	Kmnjhioc.exe
4280	Kpmfddnf.exe
744	Kdhbec32.exe
876	Kgfoan32.exe
2584	Kkbkamnl.exe
3516	Lmqgnhmp.exe
3216	Lalcng32.exe
2504	Ldkojb32.exe
4480	Lcmofolg.exe
2840	Lkdggmlj.exe
5044	Lmccchkn.exe
4504	Laopdgcg.exe
2516	Lcpllo32.exe
768	Lkgdml32.exe
4496	Lnepih32.exe
4716	Laalifad.exe
3924	Ldohebqh.exe
3780	Lgneampk.exe
4268	Lkiqbl32.exe
432	Lilanioo.exe
560	Laciofpa.exe
2648	Ldaeka32.exe
1524	Lgpagm32.exe
1516	Lklnhlfb.exe
1384	Lnjjdgee.exe
3688	Lphfpbdi.exe
2148	Lddbqa32.exe
1200	Lgbnmm32.exe
2292	Mjqjih32.exe
3948	Mnlfigcc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Jmnaakne.exe	Jjpeepnb.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Jigollag.exe	Jfhbppbc.exe
File opened for modification	C:\Windows\SysWOW64\Lcmofolg.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Nngcpm32.dll	Lkgdml32.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Jpojcf32.exe	Jmpngk32.exe
File created	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	Lkgdml32.exe
File opened for modification	C:\Windows\SysWOW64\Mahbje32.exe	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Jbhmdbnp.exe	d79aff6abd7bf0127fcdcdaa6ba3ea873485e5e914d359dbdfa28d29b26b008d.exe
File created	C:\Windows\SysWOW64\Ibimpp32.dll	Jplmmfmi.exe
File created	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kdaldd32.exe
File opened for modification	C:\Windows\SysWOW64\Kpjjod32.exe	Kmlnbi32.exe
File opened for modification	C:\Windows\SysWOW64\Lkdggmlj.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Addjcmqn.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Leqcod32.dll	Jmnaakne.exe
File opened for modification	C:\Windows\SysWOW64\Kmnjhioc.exe	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Dngdgf32.dll	Lcpllo32.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Mecaoggc.dll	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Njljefql.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Jaimbj32.exe	Jmnaakne.exe
File created	C:\Windows\SysWOW64\Kmjqmi32.exe	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Laalifad.exe	Lnepih32.exe
File opened for modification	C:\Windows\SysWOW64\Lnjjdgee.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Kkpnlm32.exe	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Jbkjjblm.exe	Jplmmfmi.exe
File created	C:\Windows\SysWOW64\Kilhgk32.exe	Kgmlkp32.exe
File opened for modification	C:\Windows\SysWOW64\Kkkdan32.exe	Kbdmpqcb.exe
File opened for modification	C:\Windows\SysWOW64\Lgbnmm32.exe	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Laciofpa.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Kdaldd32.exe	Kacphh32.exe
File created	C:\Windows\SysWOW64\Lkdggmlj.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Fldggfbc.dll	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Jeiooj32.dll	Jpojcf32.exe
File opened for modification	C:\Windows\SysWOW64\Kacphh32.exe	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Kmnjhioc.exe	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Lppbjjia.dll	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Nnmopdep.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5760	5588	WerFault.exe	200

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jifkeoll.dll"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngdgf32.dll"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offdjb32.dll"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldggfbc.dll"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghiqbiae.dll"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgllgqcp.dll"	d79aff6abd7bf0127fcdcdaa6ba3ea873485e5e914d359dbdfa28d29b26b008d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpfjejo.dll"	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joamagmq.dll"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addjcmqn.dll"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkdeek32.dll"	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafhe32.dll"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkeebhjc.dll"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	d79aff6abd7bf0127fcdcdaa6ba3ea873485e5e914d359dbdfa28d29b26b008d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojmmkpmf.dll"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdhdf32.dll"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehifldd.dll"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdopod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nbhkac32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4116 wrote to memory of 3852	4116	d79aff6abd7bf0127fcdcdaa6ba3ea873485e5e914d359dbdfa28d29b26b008d.exe	91
PID 4116 wrote to memory of 3852	4116	d79aff6abd7bf0127fcdcdaa6ba3ea873485e5e914d359dbdfa28d29b26b008d.exe	91
PID 4116 wrote to memory of 3852	4116	d79aff6abd7bf0127fcdcdaa6ba3ea873485e5e914d359dbdfa28d29b26b008d.exe	91
PID 3852 wrote to memory of 1652	3852	Jbhmdbnp.exe	92
PID 3852 wrote to memory of 1652	3852	Jbhmdbnp.exe	92
PID 3852 wrote to memory of 1652	3852	Jbhmdbnp.exe	92
PID 1652 wrote to memory of 4704	1652	Jjpeepnb.exe	93
PID 1652 wrote to memory of 4704	1652	Jjpeepnb.exe	93
PID 1652 wrote to memory of 4704	1652	Jjpeepnb.exe	93
PID 4704 wrote to memory of 5080	4704	Jmnaakne.exe	94
PID 4704 wrote to memory of 5080	4704	Jmnaakne.exe	94
PID 4704 wrote to memory of 5080	4704	Jmnaakne.exe	94
PID 5080 wrote to memory of 1128	5080	Jaimbj32.exe	95
PID 5080 wrote to memory of 1128	5080	Jaimbj32.exe	95
PID 5080 wrote to memory of 1128	5080	Jaimbj32.exe	95
PID 1128 wrote to memory of 3068	1128	Jplmmfmi.exe	96
PID 1128 wrote to memory of 3068	1128	Jplmmfmi.exe	96
PID 1128 wrote to memory of 3068	1128	Jplmmfmi.exe	96
PID 3068 wrote to memory of 1660	3068	Jbkjjblm.exe	97
PID 3068 wrote to memory of 1660	3068	Jbkjjblm.exe	97
PID 3068 wrote to memory of 1660	3068	Jbkjjblm.exe	97
PID 1660 wrote to memory of 3496	1660	Jidbflcj.exe	98
PID 1660 wrote to memory of 3496	1660	Jidbflcj.exe	98
PID 1660 wrote to memory of 3496	1660	Jidbflcj.exe	98
PID 3496 wrote to memory of 1100	3496	Jmpngk32.exe	99
PID 3496 wrote to memory of 1100	3496	Jmpngk32.exe	99
PID 3496 wrote to memory of 1100	3496	Jmpngk32.exe	99
PID 1100 wrote to memory of 4032	1100	Jpojcf32.exe	100
PID 1100 wrote to memory of 4032	1100	Jpojcf32.exe	100
PID 1100 wrote to memory of 4032	1100	Jpojcf32.exe	100
PID 4032 wrote to memory of 2344	4032	Jbmfoa32.exe	101
PID 4032 wrote to memory of 2344	4032	Jbmfoa32.exe	101
PID 4032 wrote to memory of 2344	4032	Jbmfoa32.exe	101
PID 2344 wrote to memory of 2308	2344	Jfhbppbc.exe	103
PID 2344 wrote to memory of 2308	2344	Jfhbppbc.exe	103
PID 2344 wrote to memory of 2308	2344	Jfhbppbc.exe	103
PID 2308 wrote to memory of 1604	2308	Jigollag.exe	104
PID 2308 wrote to memory of 1604	2308	Jigollag.exe	104
PID 2308 wrote to memory of 1604	2308	Jigollag.exe	104
PID 1604 wrote to memory of 3400	1604	Jmbklj32.exe	105
PID 1604 wrote to memory of 3400	1604	Jmbklj32.exe	105
PID 1604 wrote to memory of 3400	1604	Jmbklj32.exe	105
PID 3400 wrote to memory of 3512	3400	Jdmcidam.exe	106
PID 3400 wrote to memory of 3512	3400	Jdmcidam.exe	106
PID 3400 wrote to memory of 3512	3400	Jdmcidam.exe	106
PID 3512 wrote to memory of 2732	3512	Jfkoeppq.exe	107
PID 3512 wrote to memory of 2732	3512	Jfkoeppq.exe	107
PID 3512 wrote to memory of 2732	3512	Jfkoeppq.exe	107
PID 2732 wrote to memory of 4292	2732	Jiikak32.exe	109
PID 2732 wrote to memory of 4292	2732	Jiikak32.exe	109
PID 2732 wrote to memory of 4292	2732	Jiikak32.exe	109
PID 4292 wrote to memory of 2656	4292	Kpccnefa.exe	110
PID 4292 wrote to memory of 2656	4292	Kpccnefa.exe	110
PID 4292 wrote to memory of 2656	4292	Kpccnefa.exe	110
PID 2656 wrote to memory of 4220	2656	Kdopod32.exe	111
PID 2656 wrote to memory of 4220	2656	Kdopod32.exe	111
PID 2656 wrote to memory of 4220	2656	Kdopod32.exe	111
PID 4220 wrote to memory of 5012	4220	Kgmlkp32.exe	112
PID 4220 wrote to memory of 5012	4220	Kgmlkp32.exe	112
PID 4220 wrote to memory of 5012	4220	Kgmlkp32.exe	112
PID 5012 wrote to memory of 2460	5012	Kilhgk32.exe	113
PID 5012 wrote to memory of 2460	5012	Kilhgk32.exe	113
PID 5012 wrote to memory of 2460	5012	Kilhgk32.exe	113
PID 2460 wrote to memory of 3828	2460	Kacphh32.exe	115

C:\Users\Admin\AppData\Local\Temp\d79aff6abd7bf0127fcdcdaa6ba3ea873485e5e914d359dbdfa28d29b26b008d.exe
"C:\Users\Admin\AppData\Local\Temp\d79aff6abd7bf0127fcdcdaa6ba3ea873485e5e914d359dbdfa28d29b26b008d.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4116
- C:\Windows\SysWOW64\Jbhmdbnp.exe
  C:\Windows\system32\Jbhmdbnp.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3852
- - C:\Windows\SysWOW64\Jjpeepnb.exe
    C:\Windows\system32\Jjpeepnb.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1652
  - - C:\Windows\SysWOW64\Jmnaakne.exe
      C:\Windows\system32\Jmnaakne.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4704
    - - C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5080
      - C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3496
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1100
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3400
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3512
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4292
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4220
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3828
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:396
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4372
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5004
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2976
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        28⤵
        Executes dropped EXE
        
        PID:3940
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4448
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4348
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1060
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4380
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2440
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        36⤵
        Executes dropped EXE
        
        PID:696
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4280
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:744
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:876
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2584
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3516
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3216
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2504
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4480
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2840
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5044
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4504
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2516
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:768
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        51⤵
        Executes dropped EXE
        
        PID:4716
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        52⤵
        Executes dropped EXE
        
        PID:3924
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3780
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4268
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:432
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:560
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2648
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1524
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1384
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3688
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2148
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1200
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2292
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3948
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        66⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        67⤵
        Modifies registry class
        
        PID:3316
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3304
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3692
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3836
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        71⤵
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        72⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3960
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        74⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4308
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        76⤵
        Modifies registry class
        
        PID:1944
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        77⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3460
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5136
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5220
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        82⤵
        Drops file in System32 directory
        
        PID:5264
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5348
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        85⤵
        Drops file in System32 directory
        
        PID:5384
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        86⤵
        Modifies registry class
        
        PID:5428
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5544
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        89⤵
        Drops file in System32 directory
        
        PID:5592
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        90⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        91⤵
        Drops file in System32 directory
        
        PID:5676
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5716
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5768
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        94⤵
        Modifies registry class
        
        PID:5808
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        95⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        96⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5936
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5984
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6028
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6068
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        101⤵
        Modifies registry class
        
        PID:6116
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        103⤵
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:884
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5356
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5424
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5536
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        108⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5588 -s 400
        109⤵
        Program crash
        
        PID:5760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5588 -ip 5588
1⤵
PID:5700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jaimbj32.exe

Filesize
92KB

MD5
9500ab597feabec7bdaab7e81237b828

SHA1
e75c663e425688e0d3311ddc44f176f78b76ee2f

SHA256
d5ad2a26f42ea84f5463b4514ffc58aa5316e3d908f05c9b2f2f145ab870690d

SHA512
5ca12c9ea7e72204159d38c55cad0443c59beaca63aac50b6999336462230f4241be8fe923b79c045b9dcee15aafab4bd03d56ab2524aa5db726ead8b91cfb57

Download Submit
C:\Windows\SysWOW64\Jbhmdbnp.exe

Filesize
92KB

MD5
e75a8e005b5ae8e585f192d1593dd8c7

SHA1
745cbd1878593e71797ce803e81946697f1fdbc5

SHA256
37dca71c390c3946105f0804a6351c1cebdfe1f7a14f7716170993a19b75a1e4

SHA512
44d86dc09bf6ffd2922ad1ed0cc662c505088b3b9b698836bff200b5a1c72f2f04c60452390ffee729a9186384f524028945ee57cc55f7fb63984d9e4f42edd1

Download Submit
C:\Windows\SysWOW64\Jbmfoa32.exe

Filesize
92KB

MD5
69cf2401b7981d16ddc307f2a6f54f0a

SHA1
decc4cf5cb6ce987b241dd6ac2a9168ed5d7e996

SHA256
07f9a779e75a156e7095ecd592a355221e662b64bea62f3d4f6134abf098295a

SHA512
ef4ac26eb5c366778a4646194cf55658f1fed7dc021733bca94c56406c48dbbba03f722b0cb03b4dd543dadd794138d756c9c684314955d4cc4504ce659e2bc8

Download Submit
C:\Windows\SysWOW64\Jbmfoa32.exe

Filesize
57KB

MD5
5d5389fbc547c1e98ee31cfa8bb98fd0

SHA1
8ab7be3a2d1ac81ee7a75addc70bbc8feb6d1eb1

SHA256
9e0b374c44e99cde7dfd4a09261ec9ec6ad131ec8ea4743b84460ca93e1f62af

SHA512
dab04c3de2c9345721d49fb2bec5d7c4d5fae6f409de3e497a8f225705d8b69171de68a0fa41a691242df970db4a2cdc614bbf0f8c3cdedc1d709be5117802b8

Download Submit
C:\Windows\SysWOW64\Jdmcidam.exe

Filesize
92KB

MD5
7b6d7e50f6135928783a0db930717d08

SHA1
6bf3a50bfdc69f97a13efe3f0bac6669ff635edf

SHA256
13976b91e7d5a482a62797102e0a0bbe2e3a0a40ef6114893178bd7ce6a76f3c

SHA512
89e64daaf338f5452bfd34fff21ea207e441e17aac679f6441a25d4b619f63fb762c1d42f0529351ccbb2c14bcb89dcd8dcc5f7037996aa4d39682505b54e7ef

Download Submit
C:\Windows\SysWOW64\Jfhbppbc.exe

Filesize
92KB

MD5
6ccbf46bf21fb00104b5c0a811e6cba6

SHA1
5c31dfca2bd2f1cf36617ec14eb9698f42afe479

SHA256
ccffbbe95ae6d4b522e613e02917e32f383c2cda1b23fe9c3b2947fa37a0c074

SHA512
b9433f5c341ccb9e948fc9f9fc0b424a6eb2b010f89b53af269838e3ff1f511a182679153f98b323aa28851eaa2cb7844191225b492f2a26a398e04644073ca5

Download Submit
C:\Windows\SysWOW64\Jfkoeppq.exe

Filesize
92KB

MD5
bbf51ec6b035b34d1e5c4de54d777dcd

SHA1
7eb5aad6b06d9747a4b63ac1106000bba6aa6513

SHA256
d23655e8ec9709bf90e4530d9aed7c878fa18acccabe5ba37a47e66ba45e0432

SHA512
1a0d9b90b8d47b24358cca67096d4491080e6d9d13288d07ee96e48b7a335fe8217701a03d1227d296af3437d78327f1bc58964b89831d7069808c44a4a1fd82

Download Submit
C:\Windows\SysWOW64\Jidbflcj.exe

Filesize
92KB

MD5
2f94d6133e1b05dcb197f3f3262f3b1c

SHA1
57633978dd59618047fc84a6789837664436c0a6

SHA256
2036d57ad5ae2748f9caad3e08f5db7875c95203b3a8bf56ee30b3774813a9b6

SHA512
b5bcb69afe30a92d06ed2e667cd986f3f16c9072833359b7fd154746fda93b736758aa531db6cc6d3c0e1241f42904e706980bff311f7ffb0af8e1b1d82aa91a

Download Submit
C:\Windows\SysWOW64\Jidbflcj.exe

Filesize
92KB

MD5
c03d328f9ed9d0212de5c18395065c35

SHA1
599b6a3c39dc77c1364e14ba9a242215f8443535

SHA256
552d3ddb945ae9336ef363de4f21d43aa069343288ba327a68db441ff6b1b88e

SHA512
4b5ae5a412a77a2663309b7ea2b79b08e8e353a0ba99f6a5ed81b32a65028e28473fd7614b970f0e4f7274eca55023ec5f46967c76e47eeba2c8ebb83811698b

Download Submit
C:\Windows\SysWOW64\Jigollag.exe

Filesize
47KB

MD5
11c579da19d68afb41e85fa85f0cbc30

SHA1
fc856e972a29678ae5cb2b8e001bd846ce5ef774

SHA256
f6eb01a9d918ebdaa1321f8419ddccd8cc1db7a67bab00df8e4c2b70b39c661b

SHA512
15e4f98f6e8ee0c3cc529f9ba8780bc4d4e1a20e6c942958bd3c08516b349dc3ea4e5cf6f2016e32a63ecaa576c8ee2d4be6d24db86785836761634b28682c73

Download Submit
C:\Windows\SysWOW64\Jiikak32.exe

Filesize
1KB

MD5
da8c83a49b4c03d70927b875bd42d530

SHA1
23414da180eb0027d967d151a186b7dd599ee665

SHA256
8b8c0cd50f5c38212ab3dad4dd603e42152c23014fd1da97e6db811f9c90f1e0

SHA512
d5a06e4d4d5a4e6efb22acf64867a5cfa423650fdce7b7a7e45ba06809bfd64bf0c6d1e26a8b79ce2a9fba4a320f6bb8f45469bf690cf102da3e5a720183c0f6

Download Submit
C:\Windows\SysWOW64\Jiikak32.exe

Filesize
92KB

MD5
debba6304f8b3602ccff0b75bc30635d

SHA1
2d621cf278c219c4538d32d9dbc94106e5ad93f3

SHA256
df863eaad0318e2d48b015a6b2199e54c1c1c8c21eb3f3c303ab1091db18ffe0

SHA512
d95b90131b92e6d4aff6c00e31d3d6a192cc58623a9bf119e8cf27e618abb55942e57d0124625ddc7a63aa2b40fad269593e02f827d39b8580193115f606b331

Download Submit
C:\Windows\SysWOW64\Jjpeepnb.exe

Filesize
92KB

MD5
e8d454fcf6772ae897dd039558d59c11

SHA1
ec34833e39dfc6cbc88ea382d3556ddd4328b502

SHA256
85a0debb88085a35ac5734334a8d732f0ab7a2137a0db86c7c5baf38aa81c5d8

SHA512
1170c85caa8b913ff48c8c5fdaea1839d0f37cd48f6ae82770a8c973b1be470967ff7cae0bad1df15aeb10635a08d15b51e1743ede51faf8d7d3fd4974588ae8

Download Submit
C:\Windows\SysWOW64\Jmbklj32.exe

Filesize
92KB

MD5
c986679e2282d15e56abd73acbdf96e7

SHA1
fe69599dc00d12e602c52d2fc5c234520bbaa8e7

SHA256
56f8144f650f336038e43ae877945376fe66ea2d4835deb05c27a38a79a78887

SHA512
4df44c0478ed2a2192a9836aa8b8dca955ca234abf705347fee642be622dafce92dc721e43359aa14048376a5d5373cabffccd7a6dcd6e1ede930b9acdac477b

Download Submit
C:\Windows\SysWOW64\Jmbklj32.exe

Filesize
92KB

MD5
f59b3f7731ea595151e3a3008661aa04

SHA1
8e346522baa78a07c7d57a8f004ffba6e7815664

SHA256
8b83c3f18e5ac42bf5e50c6e795860f493c29788236bf228c30f92b5c8d6478a

SHA512
a667829dd51fb12d90e1839112b4dc2d13547dd725ba685462fc6140c85366d87d79c982b50e09e5cb0587c36cb60f6de4bc4c223eca9a84125a20527a18a26a

Download Submit
C:\Windows\SysWOW64\Jmnaakne.exe

Filesize
92KB

MD5
e087ecb96fc9981368d316bb8f9b1952

SHA1
8f375f6bccc72f5502fc523fa22729dc1587fc54

SHA256
a212b760e0cc9c0e20403d097490d1de602a9cce202d88a05bb59f4435fc2069

SHA512
b2e55a486c2843e36eae0e787a7cef6eafa09d581d1dfaeb8206d48300bc9958f03914f3992dc35b4704d9d5cae55e43a4dad765f03be4761c21ab5e39067d7c

Download Submit
C:\Windows\SysWOW64\Jmpngk32.exe

Filesize
92KB

MD5
8904669bee08304fee85a5787357b289

SHA1
45cef7e876aaf18b65c50667323ff188ec1b5add

SHA256
d8c0d07fd0831f601734c63a79381eedbfeaef662c8298447cb64545bdefe573

SHA512
ae65e7eaef86bdb6727025cc419c5c68092cadd68c05659ddfcfb6f3c171b70989a8661f7736c82117f77269395b5240610c29fd72c7d0afb94a3e5b17a30815

Download Submit
C:\Windows\SysWOW64\Jplmmfmi.exe

Filesize
92KB

MD5
930f3267e96c6a36e325b1f496421423

SHA1
10327be3732a05d294da1988f71f8cf98fc16da8

SHA256
6fbcbbfc36ea44af95eb57afad4486a26134abe781d8f83b251c1be425185e02

SHA512
7bb9e8c01c343bd1e26a91ff65b563113245922dbde1738a36f5329713c7cc1b8178630df91c84bf362fcee2a8c2eacf7226ea176cf6185200d909c2bbab3318

Download Submit
C:\Windows\SysWOW64\Jpojcf32.exe

Filesize
92KB

MD5
0117a6c837dad0f5b74b710398f1247a

SHA1
cf3fa1df74a05a7dcca18b14d7a983586a0e69d1

SHA256
281ce79fcbbcfa9f47b8956b2e76379bd3bf715cde1410d3d81760cf85b08a0a

SHA512
0d5d27786d827f5f2241f2738f2f50a0cef8b4e5ce906154f6f70d0c98b2cd9fcf821dfb30a9817e4fb3a8582ff52cf5440c043f9431cd987e8b0c4bd1c4de9a

Download Submit
C:\Windows\SysWOW64\Kbdmpqcb.exe

Filesize
92KB

MD5
df348f36e3ae43aa32e1ef418e7569a5

SHA1
5ef8ae3456e30a15196148bd33408982f4e7329f

SHA256
7baeb2b7ce9c9e8f3a982e59c51d8831a12941058836f6a6a4375b993c87b6fc

SHA512
27b41bc6acd73642d22a8fb1bac1ed1b65b2cf5844a11a7a341e923ac46ec9d622c780dd823b37709525ab50327e4c52ea554a29757f1b1ef82103eba3d8561f

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
92KB

MD5
fca6be92ed53da82c0fd24074102d6b5

SHA1
516f286fc1a4bf487a698a21257e089b838b3b53

SHA256
010632c7b3daf3a454442fcfcc44199b77a2a2e41f22fe52956662f26863fe9f

SHA512
0aec9b1e16f926af32f702239166e7d2086551c39bfa90c67d5452243f4a96fe9969cd8f8db601af7a8a08d93e3b537ff09216bf67c23edcd6795b2fa6ed8ddf

Download Submit
C:\Windows\SysWOW64\Kdaldd32.exe

Filesize
92KB

MD5
6d3981d5d3667a24264d1095dc94e255

SHA1
95d3b2a1970a224a436b5e726409ed22a791cba9

SHA256
9fa86f8bd59d7ec9f92824e4294313fc0713ad562f0df8cdaf8db14083984328

SHA512
3dd0eed6051a1ef7ffb6ffc116468b8a4857d20ca1d14d75b601dd5c71bb718afe71f0bd406bb84427ca984b2bae626ad0e2255e604ff5e9ee2e4898f1a6d0fe

Download Submit
C:\Windows\SysWOW64\Kdaldd32.exe

Filesize
92KB

MD5
287e41c2c216e299c133c2eff2a7e591

SHA1
0b3a6f5bd529df7c2ac4b51b5aaea104690ac893

SHA256
3f9965c4296c1683ce6248a15f4bb041620c17eb0963814aa7836e875f8b6c12

SHA512
8c290461cb908ce0a408ba5483741df5134058f736546c36716ca567ae7227b7fac6bc54ea7cbafe49e7be13e3f53cd81a76a953a1f7c701078e9566999ae60f

Download Submit
C:\Windows\SysWOW64\Kdcijcke.exe

Filesize
92KB

MD5
9f54fe0cbbae0d84f92179b8929bf5c8

SHA1
73f301544b01135a54cc15fd3f0deded2146b3a8

SHA256
39379807fe3038854a94f9123b51042bbb034a80c808b87dff6a79d6ffe5a5be

SHA512
6c3c491d3b8f9aadb7b82d6543571c7ffca34ef50169ae6426b796ded7987155269070a0280ff486eb2be7fe922a51da515ae0142786bbb6b9bf15dc7d99af47

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
92KB

MD5
cbb8296ef5935b0645da2881f6a87e13

SHA1
62d7ebf33167fca507eb50fe08daacc647f910cb

SHA256
9249507e368cbe60fb072f25dd961984c3fe3ecd2b14486b79690808f55ac2cc

SHA512
95fcc3b1957e6454edd9b7df441a0cff5dfed2de1b616153893e13d67416266aac36532b43db5496318499938640afc2ad58a4cf878cc7bf96636c6c2daca4a3

Download Submit
C:\Windows\SysWOW64\Kdopod32.exe

Filesize
92KB

MD5
60266f1630178115f60c0c5e0905c85a

SHA1
103c3938bd85fb7b6b64c23bdedb1f82cc317f06

SHA256
2efbea3bb673d5d2af86d60ff8909ad3ffbd104bcd896bfc5b753b985c0d163b

SHA512
fcde18225bded8a9e7af4fd814fb47979e4281ee4352e4e001ff97aeb90d1fa919f1dd66ef31ca2f4778614b4fd662d94df35218d84b572ff95e19ce9e021c54

Download Submit
C:\Windows\SysWOW64\Kgbefoji.exe

Filesize
92KB

MD5
997ebe2872bd9cc307a31faab0a4aaf2

SHA1
7090ca4a1b66682957829aa7a09e1ad0ae62a4ed

SHA256
eceb963ffdc82cf4b22e372b6d48f0e0e49c35c462696861544cef8c0ffe240c

SHA512
fe56aae11974a29c7a5813f346fb6a60586beb5b005484efad1058d85b3a28cd1c442e26ba079199eec9836c73be71876bc2661a6e8f9b19772c420e923956f4

Download Submit
C:\Windows\SysWOW64\Kgmlkp32.exe

Filesize
92KB

MD5
2dc32ece89601f3e9a384c8713d9d58e

SHA1
2159151a2188ff2110a9e74611c3d347b8af7799

SHA256
a65a59458f84281563d1b157796d0e1065246448718658511a5f1a22e145a79a

SHA512
e2d4b59b76236a638be87d42a2e2eb03106a0bba31624b9d91262a2b81700ecb0305b55e9c1ecea97edccc3da29ed667fbb4449f91b2f45333314676b7e018d4

Download Submit
C:\Windows\SysWOW64\Kilhgk32.exe

Filesize
92KB

MD5
635ad7e19ed5bda27305dfd26ef2ab86

SHA1
99ea209808ef98db2887db7ba03ef5fac7609c9d

SHA256
910f81074175a5d0f5df8172fbb141331f5b09ba8fca5117b9a5c416480fd75c

SHA512
c67ed5f5675e470636b710ad0438c26b39b5786f62c2eb147cfa60ec92a1263196eb8e79ca9c379e70e1f8073e300434126dc5dfeda440c90729e1fb6072efe6

Download Submit
C:\Windows\SysWOW64\Kipabjil.exe

Filesize
92KB

MD5
4b3be576804e434404426fb8ae346dc1

SHA1
4d168497f4834ca9a18c6dc94669b55ce31c13f5

SHA256
7808bb533e57ffed94dddfa81f3929f69463b34f3b7f772f62770f869ce6d99c

SHA512
ead4e3a5bc8225f59ee880569200c4e3f549e79b970aa5cdb8c7b36e33bb9bdeb379bf1d6448b255af8719b92e0dae5d34d20d2f74458afe62be676fc6a1234b

Download Submit
C:\Windows\SysWOW64\Kkkdan32.exe

Filesize
92KB

MD5
254f7bac0b703086c61c5c9a3db77400

SHA1
817a3cdc3c3d3c19ef394357ba5d5f92a4c4c3c5

SHA256
e1faecee9a181c42e855f174284657bcbbfc517f36210338103805c1a02ce870

SHA512
7ed32835d703dc3578eb8661163d24adbf0a546b32d001e940c58fe4f8764c277ea0c8df5cd71b628bcb01d5ea4c75c07d879cc78449d592710b3edc977e302e

Download Submit
C:\Windows\SysWOW64\Kmjqmi32.exe

Filesize
92KB

MD5
4e691b9867ad8cfe736f5b6ad6f00beb

SHA1
1e9c99503ff6bcc2cc9c0ca0f097296287e7b322

SHA256
d39fe2cd224eb4a272dd72b2d492b665319d3cf8689869ef5873b9f1e9bb12f2

SHA512
905a060386c7ef4d54e01925a4f3db2e9fc447a19033857974ee298a67d72cdafd9d6d12603b3bce445da7d1d9207bbabbe092b500d1c8bd27fd70182fcdd70e

Download Submit
C:\Windows\SysWOW64\Kmlnbi32.exe

Filesize
92KB

MD5
f79244d0cb75a0e8b28cbf05dd067561

SHA1
b5baebc92f1657be9565854f3d34fada05ade40c

SHA256
f02e24f1bf7cceb68b9009fd48301f417573b4f1508343b9b25c78765d5d32c4

SHA512
281f15fa1af35c6b8b9e6012e5fea47a09afab85a25f2a1edcccfb8b6fe94c442544609ba21b11aaf6f32271ddf259fbe64a1c6386cc33a8e548e34ba208d127

Download Submit
C:\Windows\SysWOW64\Kpccnefa.exe

Filesize
92KB

MD5
66161e7fc14c30fb8eabd61292b2b8fd

SHA1
c596804539253a0c76d29ab7f0fed4312bcdf843

SHA256
001f2181a47d7cce4a5024a083020e0d380209d5fe9384cea4dabf414d5a71a7

SHA512
94a24deec19a59e6acfca7097ff847a62cab45ea92ac8b386e6440a6f7280624af4fe5fb2e4a590fdb046ca03b3182c45d0b53e0a3a42a9a2c8e7a1a5d07c1a7

Download Submit
C:\Windows\SysWOW64\Kphmie32.exe

Filesize
92KB

MD5
00e444aa871dc31b2970a961815a57f4

SHA1
a489c63cc06379efb706134b9dc226c13348f7f3

SHA256
ad9a00d2c9f1329985d2261af57a23d071e2ed1696c7e9e3aee139d5e34d64fa

SHA512
aceae6738005613735db0c8464e0f30e51cb682621d58d407d85e0c9ec12dc65cba07796d106ddc9e6fe342cfc7b94d50081fd832b86316d35dd2106f4ee810f

Download Submit
C:\Windows\SysWOW64\Kpjjod32.exe

Filesize
92KB

MD5
54c8f73111306f618c98c01a7fb4dc91

SHA1
541d4dd9cb2df1c465aad5b9d2f52d9c76fa7697

SHA256
457af987b7b55cef76f882644450d9528e0878473c45f4fea2607dfc1100a94b

SHA512
d74f60880bba45fa148b9d44b617372502f0c017b3b6cf107dde5b5ef8c61a264e9357313dd699d9d0319fcb6104f74c9044df9a75d15ac90886a45dbdfafddf

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
92KB

MD5
902703451f509b2bf3e4e3ee2ca5d0f1

SHA1
8325ad74cd58ab58856bd468974ced6050849fb4

SHA256
915776f6955fbc6f28144630a48a1df6395a8d2cb2cd4f36489f5c9877c1ee57

SHA512
b0a6b97ecc8a0c540cdc37dc79482b1b05ac7bd2adeedbdaadf1c95b41f15247f28c269242c8a66be964102f8a9eb8c54b31e9711cfc21e4572cade50e824cb9

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
92KB

MD5
546e06d21d66ee14c7e8d22d67ad9fd6

SHA1
cd04cee7fed483d637bc897e7d5011a7f7ea8176

SHA256
0c0d91a70ba5856976ad360d71c1438d40cc1a23e1129040f3515bc826c9d4e1

SHA512
dd3cee13c2d4fe85bff86c6c8fe5664fea574c3e6c4dc63ce446d2a4c2e9ef6235497f0cba6e5228245a5320a17c10155ac3a5b97d24074f8c4597248e9f13db

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
92KB

MD5
4e613d7aa65a591447ed81532bf9a62a

SHA1
13576008a5dee020fde6239fc53570179baf5c72

SHA256
c6975a846c530eefc5495debbb44a61632182e80a2797163340acfd89125dcf7

SHA512
694a031d0722dcc049f6dd4e69eea19d93655305da8665de7aa468632141dda60e651225af7b56226ef8131a55a5a10e793d51e88117d7602d76a0a2f2242652

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
92KB

MD5
b56de0e26067bc11234170af99afa89f

SHA1
b30199c87d4b16a7a14902ea5d5afcd90dae4c02

SHA256
69fa7acbd4af9310cb698e65395ca820805108a697c0b5ad2f69b2f6ffc3b0d5

SHA512
59aae91efca802b7c4607bebf47ae143e3ecda577e17dc2ec39548741f41298d5b55831464da9c8cfa08d23f77653fc62a6fe2c0f373d2cb1b3c8b0528b87786

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
7KB

MD5
cf8f5a558d80abcdae5aa670239b6af9

SHA1
9286a177b155a4175c702c89a647d54992590ff3

SHA256
f3dfd188731c15aefa94f67414bc29c0ad0105759777bd21ce291ab0820fb18f

SHA512
21efe48a0cf72ce96edcb7f8c1910996ee29eeabd4f594d8f84a4b9cd53094ce3ad38d0cc8cd02e4dc5322e55a3eee5a6a2244b3b660a9194e900218c24e393e

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
92KB

MD5
269c9d1af361f227c1ce4184fcdd80ad

SHA1
92027a8a47e8e71747ebcd30e28211dfe3a2f526

SHA256
486b32ac82b721c822874cf00f0cff886301e931d7cf6000214ccc4081f282d0

SHA512
b21e442669a3453e730eba024e9dc28079488181e26222133e201504c828e90f905eed20b3223456115d69cba65f87864c29acd647b93c6f5660a26f961f9a6a

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
92KB

MD5
13594ada45b64fdf15ec2c525da31346

SHA1
bed30d38b7891a394e625083795f9c553754a7ea

SHA256
cf92ef981457375179e71756fe7b282336fa7eae31bca71291a96471f10c0b0e

SHA512
123889dd46f702fb0beea9d2f22829b99b5cfb9c1b61f35411cadda9036ec3b00624d0ed6189ceeeb5d858f7247acd7362ed220b5f91c9728c1b52ca27e20e24

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
92KB

MD5
b4ca6d183c2fedf2377dcb0600fa123e

SHA1
7dd4cec288a1c187ac985e6498de70db066bc0d4

SHA256
5e9037d864fb35bf45ee2030da6fab0af9a431ae25f3805f996d14e22bf780e3

SHA512
d362a5e374ebb10310867c3ecd6eafdcd4715d36ecfe14388674a62105e11f99ef17a0e301da419a9fd4573617d31f444ed4edfc3cda36933f14e8d6809a7d13

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
56KB

MD5
bbe5d1a10705c842ac939645a8dbd8cb

SHA1
28a6d08a6e5973aced8ad09ccda7c95e67a2bad7

SHA256
dd1ecbb5347675aa6da1ebebd7242f5b980ffed6c436f2cb0f40b01a533e4566

SHA512
e53e4ad3515c7e55ecfe985701e6af00cb740571ef6b4d20afdc6420cecff88ca46c8f268a14067fa61d00d5bea56304f691e9666bbcfdfc61f30bc4dd17d768

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
86KB

MD5
8800917c7ce50a714793f16e0f762a40

SHA1
86cc9d18e82cc7826cef912b75b3e3a943c57de9

SHA256
dbbe3c860724a4b290184c2014c610d740404c2d63d35738cab5137062e28b88

SHA512
e5fbb8d8f0e1200ce84f3bad9e3bb40f68af0716b23be223ca1f92429954f3070140c3a8f8bfc0f410f1c2ce517ea96d9c1a8105759aa8e8b2b2cac5d9f04153

Download Submit
memory/396-185-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/432-389-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/560-399-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/696-275-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/744-287-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/768-358-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/876-297-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1060-247-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1100-77-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1128-41-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1200-443-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1384-424-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1516-413-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1524-412-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1604-104-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1652-17-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1660-61-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1672-257-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2148-431-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2308-101-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2344-92-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2440-263-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2460-169-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2504-317-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2516-347-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2584-303-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2648-405-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2656-145-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2732-129-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2840-329-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2976-209-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3068-49-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3216-311-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3400-113-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3496-64-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3512-121-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3516-310-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3688-429-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3780-380-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3828-181-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3852-9-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3924-376-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3940-217-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4032-80-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4116-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4116-5-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4220-153-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4268-387-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4280-281-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4292-137-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4348-237-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4372-193-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4380-249-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4448-225-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4480-323-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4496-359-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4504-345-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4704-25-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4716-365-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5004-201-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5012-161-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5044-339-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5080-37-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5104-273-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads